After a successful login in which my Web App receives the TokenResponse - containing the access_token, expiration time, id_token, refresh_token, token_type - and sends the access token down to the client to make subsequent calls to my Web App, how do I validate the access token and the identity of the user? Should the access token be the Authorization Bearer token, or should the identity_token be the Authorization Bearer token? Do the steps below make sense, or do I have something mixed up?
- When the user first signs in on the client, Apple ID server sends back the Client ID, Identity Token, Authorization Code
- Client app sends those 3 credentials to the Web API
- The Web API FIRST checks the validity of the Identity Token, NEXT, if verified, calls Apple ID servers (https://appleid.apple.com/auth/token) to get the TokenResponse (contains access_token, expiration time, id_token, refresh_token, token_type)
- Web API stores the refresh_token on the DB
- Web API sends the access_token to client.
- Client sends access_token on all subsequent calls to Web API